"Just to be clear, we're not headed toward a version 2.0 right now. We're definitely not," Matt Barrett, the NIST program manager overseeing the cybersecurity framework updates, said in a recent interview. "We're headed to something that's more like a 1.1."

A new section on cybersecurity measurement. According to the draft, measuring security status and trends over time - internally, through external audit and through conformity assessment - enables an organization to understand and convey meaningful risk information. "In the update we introduce the notion of cybersecurity measurement to get the conversation started," Barrett said. "Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion."

[Figure: Types of Framework Measurements. Note: Measures are concrete, usually measure one thing and are quantitative in nature. Metrics describe a quality and require a measurement baseline. Source: NIST]

A greatly expanded explanation of using the framework for cyber supply chain risk management purposes. An expanded section on communicating cybersecurity requirements with stakeholders, NIST contends, should help users better understand cyber supply chain risk management. NIST also added a supply chain risk management category to the framework core. "A primary objective of cyber SCRM is to identify, assess and mitigate products and services that may contain potentially malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the cyber supply chain," the draft states.

[Figure: Supply Chain Relationships. Source: NIST]

Revised language in the access control category to account for authentication, authorization and identity proofing by adding a subcategory. Identity proofing verifies an individual's identity before they're issued credentials. Also, the category has been renamed identity management and access control to better represent its scope and subcategories.

A better explanation of the relationship between implementation tiers and profiles. Implementation tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. Profiles represent the outcomes based on business needs that an organization has selected from the framework categories. Profiles can be characterized as the alignment of standards, guidelines and practices to the framework core in a particular implementation scenario.

NIST Seeks Stakeholder Feedback

In a February 2013 executive order, President Barack Obama directed NIST to create the cybersecurity framework to help operators of the nation's mostly privately owned critical infrastructure safeguard their information assets (see Obama Issues Cybersecurity Executive Order). NIST published the framework a year later (see NIST Releases Cybersecurity Framework). It has been widely adopted by critical infrastructure operators and other organizations in and out of government.

Congress, in enacting the Cybersecurity Enhancement Act of 2014, codified the framework into law (see Codifying Process That Created the Cybersecurity Framework). The law establishes a process for the government to develop IT security best practices with advice from industry that organizations can voluntarily adopt.

Draft 1.1 incorporates feedback NIST has received from stakeholders since the initial release of the framework and integrates comments received from a December 2015 request for information and from attendees at a cybersecurity framework workshop held last year at its Gaithersburg, Md., headquarters.

NIST is seeking comments on draft 1.1 from stakeholders. Comments should be sent to cyberframework@nist.gov by April 10.
